Kevin Mitnick's tips for countering social engineering

Former US black hat hacker Kevin Mitnick used social engineering to infiltrate companies during the 1990s. These days, he now uses his skills to help organisations understand how they can protect themselves.

Speaking at the CeBIT conference in Sydney, the CEO of Mitnick Security Consulting said that a lot of attacks involve the exploitation of insecure Web applications — and the exploitation of humans, through social engineering.

“With a lot of attacks, the foot in the door is through social engineering and then you can use technical exploits to gain access to targeted systems. That’s how the White House was hacked [in 2014]. The attackers got into the State Department using a phishing email,” Mitnick said.

He said that social engineering can involve several steps. The first step, for example, can be convincing people to click on a link in an email.

“Once they click that link, it has to go to some site or they have to open up some application that exploits a vulnerability in their desktop whether that is the browser or Adobe Flash,” said Mitnick.

For companies trying to deal with social engineering, he said that user education and training is a “no brainer.”

Inoculation is the best remedy.

“Inform your employees that you do testing from time to time and have internal or external security people trying to con them,” he said.

“Is someone up at 3am using certain types of admin tools? If they are, send out an alert.”
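A minimal form of the off-hours alert Mitnick describes, as an added example (not code from the article or from Mitnick Security Consulting): it scans constructed log lines for administrative tools run on weekends or outside an assumed 07:00 to 19:00 working window. The log format, the tool watch-list and the hours are assumptions.

```python
from datetime import datetime, time

# Hypothetical watch-list of admin tooling (assumption, not from the article).
ADMIN_TOOLS = {"psexec.exe", "wmic.exe", "powershell.exe", "net.exe", "schtasks.exe"}
WORK_START = time(7, 0)   # assumed start of the working day
WORK_END = time(19, 0)    # assumed end of the working day (exclusive)

# Constructed sample log: 2017-05-23 is a Tuesday, 2017-05-27 a Saturday.
SAMPLE_LOG = """\
2017-05-23T03:12:44 host=fs01 user=jdoe proc=psexec.exe
2017-05-23T03:15:02 host=ws17 user=asmith proc=notepad.exe
2017-05-23T10:30:10 host=dc01 user=admin1 proc=powershell.exe
2017-05-27T14:05:31 host=dc01 user=admin1 proc=wmic.exe
2017-05-24T18:59:59 host=fs01 user=jdoe proc=net.exe
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' record (constructed format) into a dict."""
    ts_text, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def is_off_hours(ts, start=WORK_START, end=WORK_END):
    """True on weekends or when the time of day falls outside [start, end)."""
    if ts.weekday() >= 5:          # Saturday or Sunday
        return True
    return not (start <= ts.time() < end)


def detect_off_hours_admin(log_text):
    """Return one alert string per admin-tool execution outside working hours."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("proc", "").lower() in ADMIN_TOOLS and is_off_hours(rec["ts"]):
            alerts.append(f"{rec['ts'].isoformat()} {rec['user']}@{rec['host']} "
                          f"ran {rec['proc']} off-hours")
    return alerts


if __name__ == "__main__":
    for alert in detect_off_hours_admin(SAMPLE_LOG):
        print(alert)
```

Unlisted tools at 3am and listed tools during the working window produce no alert; tuning the window and watch-list to the organisation's own baseline is what keeps the rule useful.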

Mitnick added that when he conducts penetration testing, he comes across password patterns.

“Once we are able to compromise the company and obtain their domain passwords in an Active Directory environment, we can determine the patterns that people use. For example, when Sony was hacked, [CEO] Michael Lynton’s domain user account was SonyML3.”

He suggested using a password manager that fills in the form with randomly generated passwords.

“I saw some technology at a conference where you could wear a bracelet which measures your heart beat. This is communicated as an authentication to your work systems. But who the heck is going to go to work and put on a bracelet?”

He said that the IT industry needs to come up with a transparent technology that can positively identify the user.

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.